Descritpion
This article describes the FortiSOAR™ MITRE ATT&CK Content Pack developed for MITRE ATT&CK Framework. This content pack enables users to use the information and knowledge base that’s provided by the MITRE ATT&CK Framework to its full extent.
'MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community'.
Setting up the MITRE ATT&CK Content Pack
It is possible to use the MITRE ATT&CK content pack to map alerts, incidents, and indicators to MITRE Tactics and Threat Actors; and also hunt for specific tactics in your environment using pre-configured playbooks.
The process of deploying the MITRE ATT&CK content pack varies based on whether you have deployed the Enterprise, i.e., Incident Response Content Pack or the MSSP Content Pack.
Enterprise or Incident Response Content pack
The MITRE ATT&CK content pack is included as part of the Incident Response Content Pack.
MSSP Content Pack
In the case of MSSP, it is possible to individually import the MITRE ATT&CK content pack using the fsr-cp-mitre-attack.zip attached to this document as explained in the following Importing the MITRE ATT&CK Content Pack section.
Importing the MITRE ATT&CK Content Pack
Important: You must install the MSSP Content Pack before you import the MITRE ATT&CK Content Pack.
1) Download and extract the fsr-cp-mitre-attack.zip file that is attached to this document.
2) Unzip and import the fsr-cp-mitre-attack.zip file using the following steps:
- Open the FortiSOAR instance, and click System Settings.
- In the Application Editor' section, click Import Wizard.
- On the 'Import Wizard' page, select Import From File to open the Import Wizard.
- Upload the fsr-cp-mitre-attack.zip file and select Continue.
3) On the 'Configuration' page, review the list of configurations that are displayed, and then click Continue.
Important: All the configuration options displayed on this page are required.
4) On the 'Review Import page', review the import details that it is imported and then select Run Import to begin the import process.
Once the import is completed, the MITRE ATT&CK is deployed.
Configuring the MITRE ATT&CK Content Pack
Once the MITRE ATT&CK Content Pack is deployed, do the following configurations:
1) Verify MITRE ATT&CK connector is installed successfully.
2) Configure MITRE ATT&CK connector and verify health check show as Available.
3) Setup data ingestion for the MITRE database using the MITRE ATT&CK Connector.
4) Setup modules to lookup MITRE ATT&CK Tactics and Groups.
5) Leverage Hunt Playbooks to look for specific tactics in theenvironment. Use cases and screenshots from some hunt playbooks are included in the Use Case Workflow section.
Integrations used
- MITRE ATT&CK.
Inside the MITRE ATT&CK Content Pack
MITRE ATT&CK Modules:
- Groups.
- Tactics.
- Techniques.
- Sub-techniques.
- Mitigations.
- Software
- MITRE ATT&CK Module View Templates.
- MITRE ATT&CK Picklists.
- MITRE ATT&CK Matrices.
- MITRE ATT&CK Software Types.
- Roles.
- Updates to the default Full App Permissions Role to include permissions for the new MITRE modules.
- New MITRE Admin Role.
- Hunt Playbook Collections.
- Access Token Manipulation.
- SID-History Injection (T1134.005).
- Boot or Logon Autostart Execution.
- Winlogon Helper DLL (T1547.004).
- Credential Access.
- OS Credential Dumping (T1003).
- Defence Evasion.
- Deobfuscate/Decode Files or Information (T1140).
- Rogue Domain Controller (T1207).
- Event Triggered Execution.
- AppInit DLLs (T1546.010).
- Hidden Files and Directories (T1564.001).
- Netsh Helper DLL (T1546.007).
- Screensaver (T1546.002).
Process Execution:
- Dynamic Data Exchange (T1559.002).
- LSASS Driver (T1547.008).
- XSL Script Processing (T1220).
- Signed Binary Proxy Execution.
- CMSTP (T1218.003).
- Compiled HTML File (T1218.001).
- Control Panel Items (T1218.002).
- InstallUtil (T1218.004).
- Mshta (T1218.005).
- Regsvcs/Regasm (T1218.009).
- Rundll32 (T1218.011).
System Services:
- Service Execution (T1569.002).
- Modulars: These playbooks are used for deduplication and linking of hunt-related records.
Setting up Data Ingestion
The MITRE ATT&CK Connector leverages the ingestion wizard for seamless ingestion of the MITRE ATT&CK Framework on a set schedule and also provides inputs that specify which MITRE ATT&CK matrix should be used for pulling the data.
For more information on setting up data ingestion, see the MITRE ATT&CK connector document that is included in the FortiSOAR Connectors listing page.
Important.
By default, data ingestion for MITRE is configured with sample data.
To get complete MITRE data, open the connector step from the data ingestion playbook and change the action from 'Get MITRE Sample Data' to 'Get MITRE Data'.
Also, ensure that a ‘Weekly Update Schedule’ to keep the data synchronized with the latest updates in the MITRE ATT&CK Framework is added.
Use Case Workflow
Hunt playbooks are designed to provide a basic structure and usable examples for conducting MITRE ATT&CK specific threat hunting operations using FortiSOAR.
All Hunt playbooks have the following workflow pattern:
- Manual trigger of the hunt playbooks by users that prompts a SIEM choice between Splunk and Elastic.
- Run a query based on the MITRE Technique details on the selected FortiSIEM.
- Retrieve query results.
- Create alerts based on the query results.
- Add comments on created alerts that describe the workflow resolutions.
- Deduplicate the comments that create clutter.
- After a hunt playbook is executed, the new alerts are linked to the appropriate MITRE Techniques and/or Sub-techniques.
Screenshots of ‘Hunt’ Playbooks used in user cases
Screenshot from the 'Deobfuscate/Decode Files or Information (T1140)' Hunt playbook.
This playbook demonstrates the use of Certutil or copy /b to deobfuscate data/files:
Screenshot from the 'Hidden Files and Directories (T1564.001)' Hunt playbook.
This playbook hunts for attrib.exe, which is used to hide files.
Screenshot from the 'Link ATT&CK technique to Alert' playbook.
This playbook links the ’Alert’ records that were created as a result of Hunt playbooks to their related MITRE ATT&CK techniques and sub techniques.
Setting up the Navigation View
By default, the content pack does not include the navigation view that contains the new MITRE modules.
This is because the navigation view imports overwrite the view altogether.
Therefore, after the content pack is imported, it is necessary to add the new modules to the navigation view.
The following screenshots describe this process.
1) Log onto FortiSOAR and select Settings. Then in the Application Editor section, select Navigation.
This displays the Navigation Editor.
2) On the Modules tab, select all the MITRE modules and then select Add As Group to add all the modules as part of their own drop-down folder on the left navigation pane:
3) Change the name of the group, add an icon to the folder as per requirements.
It is also possible to change the names of the module pages. MITRE ATT&CK modules appear as follows on the left navigation:
For information on the FortiSOAR IR Content Pack:
